Encoder for Android: complete software anatomy

Until recently, based on the results of surveys and personal experience, I had the impression that users believe that the value of data stored on a device greatly exceeds the cost of the device itself. Why until recently? Well, the current US dollar exchange rate means that I haven’t seen such surveys among new iPhone users :).

The boom in ransomware and ransom Trojans encrypting the whole operating system or just the user’s data is the reason for the high cost of data stored on computers.

Putting on the black hat

Of course, we are not suggesting that our readers write malware. However, being security specialists, shouldn’t we be aware of how malicious hackers act? We most certainly should. Otherwise, how can we fight them? So, let’s put the black hat on and look at how coders who write personal information encoders for Android operate.

Yes, I intentionally shifted the emphasis to “personal information” encryption. The Android OS clearly distinguishes between user data and system files; so, writing a massively distributed blocker will present a rather laborious task. We need to somehow elevate the application’s privileges in the system, but because of the numerous devices and versions it is hard to create a universal algorithm. To extract money from a part of the population it is easier to attack the user’s data segment.

Bad news for the user

Doctor Web calls encryption Trojans the main threat for the consumer segment of the Internet. According to the company’s report, since 2013 they have received more than 8,500 requests for decryption of files encoded by encryption Trojans. By November 2015, these requests made up 60 % of all requests. In its report, Doctor Web honestly admits that the chance of recovering the encoded data is less than 10 %.

Access to files

First, hackers access data on the device. This is no problem; we do it in nearly every article. We will need to add a couple of lines to the application’s manifest file.

When the application is launched, the system will warn the user that it needs access to the disk space, without giving a reason. This looks quite normal: you can think of thousands of perfectly legitimate reasons why a developer might need to save something to the disk or read something from it. The OS will not limit the application’s actions afterwards; all files will be at our disposal.

Today, let’s just deal with photographs. First, we need to find the root directory for all images stored on the device. Depending on the OS version, the path to this folder may be a bit different, so let’s use the Environment class. This provides access to various environment variables; we need DIRECTORY_PICTURES.


Environment variables represent a convenient tool for storing dynamically changed information. They contain standard parameters required by many applications at the same time: path to folders with standard content (home directory, temporary file storage), default encryption etc.

To encode a file, we need to get its full path on the device; to do this, let’s use good old recursion. If the checked path is a directory, we call the method again, this time for that path. The “File” class will help us determine what exactly the checked path is. It contains the isFile() and isDirectory() methods, which perform the necessary check.

As soon as we obtain the file path, we can start modifying the file. The first encryption Trojans used weak encoding algorithms: from changing the file extension to applying XOR with a key stitched into the module. This approach allowed antivirus analysts to create decoders almost immediately.
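The weakness described above, seen from the recovery side, as an added example that is not code from the original article: when a photo has been XORed with a short repeating key, the fixed header at the start of the file acts as known plaintext and gives the key back. The sample bytes and key are constructed, and the 12-byte JFIF header is an assumption about the affected files (JPEGs that start with an Exif segment differ).

```python
from itertools import cycle

# Assumption: the photos are JFIF-style JPEGs, whose first 12 bytes are fixed:
# SOI, APP0 marker, segment length 16, "JFIF\0", major version 1.
JFIF_HEADER = bytes.fromhex("ffd8ffe000104a4649460001")
JPEG_EOI = b"\xff\xd9"  # every JPEG ends with the End Of Image marker


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def smallest_period(stream: bytes) -> int:
    """Length of the shortest prefix that, repeated, reproduces the stream."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(encoded: bytes, known: bytes = JFIF_HEADER):
    """Return the repeating XOR key, or None if it cannot be confirmed."""
    if len(encoded) < len(known) + len(JPEG_EOI):
        return None
    # ciphertext XOR known plaintext = the key stream for the first bytes
    keystream = bytes(c ^ p for c, p in zip(encoded, known))
    key = keystream[:smallest_period(keystream)]
    # A key longer than the known header yields a wrong candidate; the
    # trailing EOI marker is used as an independent check before trusting it.
    return key if xor_bytes(encoded, key).endswith(JPEG_EOI) else None


# Constructed sample: a minimal JPEG-like byte string and a made-up 4-byte key.
SAMPLE = JFIF_HEADER + bytes(range(64)) + JPEG_EOI
SAMPLE_KEY = b"k3y!"

if __name__ == "__main__":
    encoded = xor_bytes(SAMPLE, SAMPLE_KEY)
    key = recover_key(encoded)
    print("recovered key:", key)
    print("file restored:", xor_bytes(encoded, key) == SAMPLE)
```

No copy of the malicious module is needed for this; a single encoded photo is enough, which is why such schemes were broken so quickly.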

Today, we will go a couple of steps further and see how malware creators organize encoding to make further recovery of files possible only by asking the Trojan’s creator for a key.
